Expert Panel Discusses Privacy Concerns

Privacy, access, and identity are vital to the Obama administration’s effort to modernize the nation’s healthcare information infrastructure, a panel of policy and technology experts told healthcare industry leaders, public policymakers, and policy-influencing organizations at a National Press Club briefing in Washington, D.C., last week cohosted by the Smart Card Alliance Healthcare and Identity Councils and the Secure ID Coalition.

The topic is timely because HIT is getting nearly a $19 billion boost from the American Recovery and Reinvestment Act of 2009. The speakers agreed the sense of urgency and massive investment are good news but that time pressure might also cause problems.

“There is a risk we will focus too much on standards for electronic health records (EHRs) and ways to exchange them at the expense of sound privacy and identity models,” said Randy Vanderhoof, executive director of the Smart Card Alliance. “The critical issues are getting control over who has access to healthcare information and correctly tying the right individual to his or her health records. That means identity management and access authentication security have to be baked-in from the start, not tacked on at the end.”

Correctly identifying patients and their records is difficult just within a single hospital but gets far worse between multiple institutions, according to a leading practitioner and specialist on the subject, Paul Contino, vice president of information technology at Mount Sinai Medical Center in New York. He cautioned that identity management must be addressed correctly up front or “we’re going to have problems with the linkages of electronic medical records” on a regional or even national basis. Mount Sinai revamped patient registration processes and implemented a smart card-based patient card to more accurately link individuals to their medical and administrative records.

Hospitals and other stakeholders also face significantly stronger privacy and security rules along with new financial penalties for violators, according to Richard D. Marks, cofounder and president of Patient Command, Inc. Marks said the healthcare HITECH Act provisions in the American Recovery and Reinvestment Act are a direct effort by the new administration to extend and enforce HIPAA regulations that were largely ignored until now. To put teeth in the enforcement effort, the new legislation has created health record data breach notification rules, fines for failure to protect personal health information, and rights for complainants to share in civil monetary penalties levied on offenders, providing a big incentive for whistleblowers. The civil and criminal penalties are not limited only to institutions but apply equally to negligent CEOs, chief financial officers, chief information officers, and board members, including possible jail time, Marks said.

In this new environment, authentication becomes the biggest business process issue facing industry stakeholders. “What we need is something that is easy for the public to use for authentication, so we can tell who they are precisely,” Marks said.

Another panel member raised the issue of empowering people to manage their own personal healthcare information. William Yasnoff, MD, PhD, chair of the Health Record Banking Alliance and managing partner for NHII Advisors, asked the audience, “Who at this moment has a complete copy of your medical records? For the overwhelming majority of people, the answer is no one.”

Yasnoff argued that the current model—keeping medical records at the place they are created and somehow assembling the information later when you need it—is flawed. He envisions a health record bank, essentially an electronic safe deposit box that provides a secure repository for an individual’s comprehensive health record. The patient would strictly control access to the information, guaranteeing both privacy and consent.

Whether personal healthcare information is stored centrally or at the place it is created, its security is far more critical than even other types of personal information such as credit card accounts, in the opinion of Michael Magrath, director of healthcare and government for Gemalto. Magrath pointed out that if someone steals your credit card number and starts using it online, the bank will replace your financial losses and just give you a new card; however, there is no single issuer there to protect you in the case of healthcare information. “If my personal healthcare records are compromised, there’s no recourse. It’s out there and it’s out there forever,” he said.

Lisa Gallagher, senior director of privacy and security for HIMSS, summed up the panel’s main message to industry stakeholders and policy makers. “It’s vital that the entire healthcare community understand the relationship between security controls and the privacy policies that we are trying to implement at the national level,” she said. “It doesn’t matter what the privacy policy says or how strongly or how often a company promises to meet it, it cannot do so without implementing proper security controls.”